Besieged Bank Clues In Customers About Disrupted Service

By Erika Morphy
Jan 7, 2013 5:00 AM PT

PNC Bank took an unusually open approach with its customers recently. It sent a letter apologizing for any inconvenience they might have experienced when the bank was battling denial of service attacks assumed to have been launched by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters.

"In some cases, those measures also may have blocked access to a small percentage of legitimate PNC customers for an extended period," the letter said. "We sincerely apologize to those affected."

The Basic Rule of Banking

To state the obvious, if a bank wants to keep its customers, those customers must feel secure in its ability to protect their money and identities. It also helps if customers feel their money and bank information is easily accessible.

Sending a letter reminding customers of an incident in which some of them were not able to easily access information about their accounts -- and worse, explaining that malfeasance was the underlying reason -- would seem to go against every PR playbook in existence.

Or maybe not.

Actually, from a PR standpoint, what PNC Bank did was very smart, David Johnson, principal of Strategic Vision, told CRM Buyer.

For starters, "if you look at all the institutions of which the public is distrustful and dislikes, banks are definitely up near the top."

In other words, the public is already prepared to believe the worst about banks in terms of their security and customer policies, he said.

Openly apologizing and discussing the issue is a refreshing change, according to Johnson.

Also, it takes away a club -- at least one of them -- with which critics can beat the bank.

"Now no one can accuse the bank of hiding or covering up something," Johnson said.

A final point in PNC's favor: An apology can draw a favorable contrast with how competitors have handled similar issues, he pointed out.

Indeed, this particular group disrupted a number of banks' operations with denial of service attacks. Furthermore, last month they warned that other attacks would be forthcoming.

Not a Threat

To be sure, PNC Bank took pains to emphasize that customer information and assets were not at risk from the attack. People with even a general understanding of the Internet and technology probably realize that, said Robert Siciliano, CEO of IDTheftSecurity.com, but it doesn't hurt to remind them.

"Denial of service attacks, if handled properly, are only a nuisance and an inconvenience and generally are not a security threat to the bank's clients' information," he told CRM Buyer.

"There's nothing wrong with explaining what the problem is and how it will -- and more importantly will not -- affect the bank's clients," he said.

A New Trend, a New Trick

"I applaud this direct communication!" he told CRM Buyer. "I expect some consumers won't understand it, but over time, this kind of communication could become as common as a weather report -- and that would definitely be a good thing for consumers."

There is a downside, however, Keanini added: Attackers could mimic it very convincingly to launch phishing attacks or steal login and password credentials.

"This problem isn't specific to banks," he noted. "Everyone that communicates with their customers through email is at risk, and there's very little businesses can do about it. Even if they sign the email cryptographically, recipients almost never take the time to check for authenticity."

Still, PNC's move to educate its clients was critical, Keanini said.

"The Internet isn't going to get any safer until we all pay more attention to security."

A PNC Bank spokesperson was not immediately available to comment for this story.